--[[
Filter module for Alpine Wall
Copyright (C) 2012-2013 Kaarle Ritvanen
See LICENSE file for license details
]]--


-- Lua 5.1 module() idiom (deprecated in later versions): the globals assigned
-- further down (stateful, export, achains) become fields of this module, and
-- package.seeall keeps the global environment visible to the module body.
module(..., package.seeall)

local resolve = require('awall.host').resolve
local model = require('awall.model')
local combinations = require('awall.optfrag').combinations

local util = require('awall.util')
local extend = util.extend
local listpairs = util.listpairs

-- Largest hit count handled with the iptables 'recent' match; above this
-- Filter:extraoptfrags() switches the limit chain to hashlimit instead.
local RECENT_MAX_COUNT = 20


-- Rule matching packets that conntrack has classified RELATED through a
-- named connection-tracking helper (the 'ct-helper' of a service definition).
local RelatedRule = model.class(model.Rule)

-- Build one option fragment per distinct ct-helper named by the rule's
-- services. Fragments are keyed by helper name, so a helper referenced by
-- several service definitions yields a single fragment (the definition seen
-- last supplies its family).
function RelatedRule:servoptfrags()
   local by_helper = {}

   local function register(sdef)
      local name = sdef['ct-helper']
      if not name then return end
      by_helper[name] = {
	 family=sdef.family,
	 opts='-m conntrack --ctstate RELATED -m helper --helper '..name
      }
   end

   for _, serv in listpairs(self.service) do
      for _, sdef in listpairs(serv) do register(sdef) end
   end

   return util.values(by_helper)
end


-- The 'filter' rule class: a model.Rule extended with the filter-specific
-- options handled by the methods below (action, log, dnat, no-track,
-- conn-limit / flow-limit, related).
local Filter = model.class(model.Rule)

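-- Construct a filter rule. All constructor arguments are forwarded unchanged
-- to model.Rule.init; `...` is used directly instead of the Lua 5.0-era
-- implicit `arg` table, which only exists under the 5.1 compatibility option
-- and is absent in LuaJIT and Lua 5.2+.
function Filter:init(...)
   model.Rule.init(self, ...)

   -- alpine v2.4 compatibility: 'logdrop' / 'logreject' are reduced to the
   -- bare action ('drop' / 'reject'); logging is then settled below
   if util.contains({'logdrop', 'logreject'}, self.action) then
      self:warning('Deprecated action: '..self.action)
      self.action = string.sub(self.action, 4, -1)
   end

   -- Resolve the rule's log option; the third argument is true for every
   -- action except accept (presumably the default when no log option is
   -- given — see awall's log class)
   local log = require('awall').loadclass('log').get
   self.log = log(self, self.log, self.action ~= 'accept')

   -- A bare (non-table) conn-limit / flow-limit value is shorthand for
   -- {count=value}; the limit's own log option is resolved the same way,
   -- with the third argument always true
   local limit = self:limit()
   if limit then
      if type(self[limit]) ~= 'table' then
	 self[limit] = {count=self[limit]}
      end
      self[limit].log = log(self, self[limit].log, true)
   end
end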

-- Destination option fragments. Without dnat this is the plain model.Rule
-- result. With dnat, the inherited fragments are restricted to inet6 and a
-- single fragment for the DNAT target address is appended; the target Zone
-- is required to yield exactly one 'out' fragment.
function Filter:destoptfrags()
   local frags = model.Rule.destoptfrags(self)
   if self.dnat then
      frags = combinations(frags, {{family='inet6'}})
      local target_zone = self:create(model.Zone, {addr=self.dnat})
      local nat_frags = target_zone:optfrags('out')
      assert(#nat_frags == 1)
      frags[#frags + 1] = nat_frags[1]
   end
   return frags
end

-- Generate the iptables rules for this filter. Besides the rules inherited
-- from model.Rule this emits, in order: the DNAT rule (when dnat is set), a
-- no-track rule for tarpit / no-track filters, the base rules, and for
-- accepting filters the RELATED rules plus the reverse-direction rules a
-- no-track accept needs.
function Filter:trules()
   local rules = {}

   -- Attributes copied from the source rule into every derived rule
   local INHERITED = {'in', 'out', 'src', 'dest', 'ipset', 'ipsec', 'service'}

   -- Instantiate cls from src (default: this rule) with the inherited
   -- attributes overridden by extra, and append its rules to the result.
   local function derive(cls, extra, src)
      src = src or self
      local params = {}
      for _, attr in ipairs(INHERITED) do params[attr] = src[attr] end
      util.update(params, extra)
      return extend(rules, self:create(cls, params):trules())
   end

   -- Validate the dnat option and return the single IPv4 address it
   -- resolves to.
   local function dnat_address()
      if self.action ~= 'accept' then
	 self:error('dnat option not allowed with '..self.action..' action')
      end
      if self['no-track'] then
	 self:error('dnat option not allowed with no-track')
      end
      if not self.dest then
	 self:error('Destination address must be specified with DNAT')
      end
      if string.find(self.dnat, '/') then
	 self:error('DNAT target cannot be a network address')
      end
      for _, attr in ipairs({'ipsec', 'ipset'}) do
	 if self[attr] then
	    self:error('dnat and '..attr..' options cannot be used simultaneously')
	 end
      end

      local result
      for _, addr in ipairs(resolve(self.dnat, self)) do
	 if addr[1] == 'inet' then
	    if result then
	       self:error(self.dnat..' resolves to multiple IPv4 addresses')
	    end
	    result = addr[2]
	 end
      end
      if not result then
	 self:error(self.dnat..' does not resolve to any IPv4 address')
      end
      return result
   end

   if self.dnat then
      -- NOTE(review): out=nil inside a table constructor creates no key, so
      -- util.update cannot clear params.out here and the dnat rule inherits
      -- the filter's 'out' attribute — confirm whether that is intended.
      derive('dnat', {['to-addr']=dnat_address(), out=nil})
   end

   if self.action == 'tarpit' or self['no-track'] then derive('no-track') end

   extend(rules, model.Rule.trules(self))

   if self.action == 'accept' then
      local base_count = #rules

      if self.related then
	 for _, rule in listpairs(self.related) do
	    derive(RelatedRule, {service=self.service, action='accept'}, rule)
	 end
      else
	 -- TODO avoid creating unnecessary RELATED rules by introducing
	 -- helper direction attributes to service definitions
	 derive(RelatedRule, {action='accept'})
	 derive(RelatedRule, {reverse=true, action='accept'})
      end

      if self['no-track'] then
	 -- RELATED rules rely on connection tracking, which no-track forbids
	 if #rules > base_count then self:error('Tracking required by service') end
	 derive('no-track', {reverse=true})
	 derive('filter', {reverse=true, action='accept', log=false})
      end
   end

   return rules
end

-- Return which limit option is set ('conn-limit' or 'flow-limit'), or nil
-- when the rule has none. Setting both is reported as an error.
function Filter:limit()
   local conn, flow = self['conn-limit'], self['flow-limit']
   if conn and flow then
      self:error('Cannot specify multiple limits for a single filter rule')
   end
   if flow then return 'flow-limit' end
   if conn then return 'conn-limit' end
   return nil
end

-- Flow-limited rules are prepended to their chain; all others are appended.
function Filter:position()
   if self:limit() == 'flow-limit' then return 'prepend' end
   return 'append'
end

-- Map the action to an iptables target: tarpit uses the custom 'tarpit'
-- chain, drop / reject use the upper-cased built-in targets, anything else
-- is left to model.Rule.target.
function Filter:actiontarget()
   local action = self.action
   if action == 'tarpit' then return 'tarpit' end
   local builtin = util.contains({'drop', 'reject'}, action)
   return builtin and string.upper(action) or model.Rule.target(self)
end

-- Jump target of the rule: limited rules go through the per-rule 'limit'
-- chain, logged rules through the 'log<action>' chain, and everything else
-- straight to the action's target.
function Filter:target()
   local label
   if self:limit() then
      label = 'limit'
   elseif self.log then
      label = 'log'..self.action
   end
   if label then return self:newchain(label) end
   return self:actiontarget()
end

-- Option fragments for the per-rule auxiliary chains. A logged rule gets a
-- 'log<action>' chain (log, then jump to the real target); a limited rule
-- gets a 'limit' chain holding the rate-limit logic. Fragments are appended
-- to the returned list in creation order.
function Filter:extraoptfrags()
   local res = {}

   -- If log is set, create the 'log<action>' chain with two rules (log's own
   -- fragment, then a jump to target) and return the chain name; otherwise
   -- return target unchanged so the caller can jump to it directly.
   local function logchain(log, action, target)
      if not log then return target end
      local chain = self:newchain('log'..action)
      extend(
	 res,
	 combinations({{chain=chain}}, {log:optfrag(), {target=target}})
      )
      return chain
   end

   local limit = self:limit()
   if limit then
      -- Limits are only meaningful for accepting rules
      if self.action ~= 'accept' then
	 self:error('Cannot specify limit for '..self.action..' filter')
      end

      local chain = self:newchain('limit')
      local limitlog = self[limit].log
      -- NOTE(review): count is compared below without a type check; a limit
      -- table lacking count raises a plain Lua error rather than self:error
      -- — confirm the model validates it before this point
      local count = self[limit].count
      local interval = self[limit].interval or 1

      -- Large counts are first normalised to a per-second rate (interval 1);
      -- this may bring count back under the threshold for the recent match
      if count > RECENT_MAX_COUNT then
	 count = math.ceil(count / interval)
	 interval = 1
      end

      local ofrags
      if count > RECENT_MAX_COUNT then
	 -- hashlimit, keyed per source IP (--hashlimit-mode srcip): packets
	 -- under the rate are logged (if the rule logs) and accepted, the
	 -- rest are dropped. The limit's own log fragment, when set, is
	 -- placed just before the DROP.
	 ofrags = {
	    {
	       opts='-m hashlimit --hashlimit-upto '..count..'/second --hashlimit-burst '..count..' --hashlimit-mode srcip --hashlimit-name '..chain,
	       target=logchain(self.log, 'accept', 'ACCEPT')
	    },
	    {target='DROP'}
	 }
	 if limitlog then table.insert(ofrags, 2, limitlog:optfrag()) end
      else
	 -- recent match: a source already seen count times within interval
	 -- seconds is dropped (via the limit log chain if set); otherwise the
	 -- hit is recorded (--set) and the packet accepted, with the rule's
	 -- own log fragment placed just before the ACCEPT.
	 ofrags = combinations(
	    {{opts='-m recent --name '..chain}},
	    {
	       {
		  opts='--update --hitcount '..count..' --seconds '..interval,
		  target=logchain(limitlog, 'drop', 'DROP')
	       },
	       {opts='--set', target='ACCEPT'}
	    }
	 )
	 if self.log then table.insert(ofrags, 2, self.log:optfrag()) end
      end

      extend(res, combinations({{chain=chain}}, ofrags))

   -- Unlimited rule: only the log chain (if any) is needed; the jump into it
   -- comes from Filter:target(), which requests the same chain label
   else logchain(self.log, self.action, self:actiontarget()) end
   
   return res
end



-- Policy rules are Filters with no service match: servoptfrags yields nil.
local Policy = model.class(Filter)

function Policy:servoptfrags()
   return nil
end


-- The three built-in chains of the filter table
local fchains = {{chain='FORWARD'}, {chain='INPUT'}, {chain='OUTPUT'}}

-- Rules that make the firewall stateful, generated for both address
-- families: accept ESTABLISHED traffic in all filter chains, accept loopback
-- traffic in INPUT / OUTPUT, and in the raw table attach the conntrack helper
-- (CT --helper) requested by every service definition carrying a
-- 'ct-helper' (RelatedRule matches on that helper).
-- @param config the awall configuration; only config.filter is inspected
-- @return list of option fragments, filter rules first, then raw CT rules
function stateful(config)
   local result = {}

   local LOOPBACK = {INPUT='-i lo', OUTPUT='-o lo'}

   -- ACCEPT rules common to every family: ESTABLISHED in all filter chains,
   -- plus loopback in INPUT and OUTPUT
   local function accept_frags(family)
      local frags = combinations(
	 fchains,
	 {{opts='-m conntrack --ctstate ESTABLISHED'}}
      )
      for _, chain in ipairs({'INPUT', 'OUTPUT'}) do
	 frags[#frags + 1] = {chain=chain, opts=LOOPBACK[chain]}
      end
      return combinations(frags, {{family=family, table='filter', target='ACCEPT'}})
   end

   -- One CT --helper fragment per service definition with a ct-helper;
   -- each service object is inspected once per family.
   -- TODO avoid creating unnecessary CT rules by inspecting the
   -- filter rules' target families and chains
   local function helper_frags(family)
      local seen = {}
      local frags = {}
      for _, rule in listpairs(config.filter) do
	 for _, serv in listpairs(rule.service) do
	    if not seen[serv] then
	       for _, sdef in listpairs(serv) do
		  local helper = sdef['ct-helper']
		  if helper then
		     local of = combinations(
			model.Rule.morph{service={sdef}}:servoptfrags(),
			{{family=family}}
		     )
		     if of[1] then
			assert(#of == 1)
			of[1].target = 'CT --helper '..helper
			frags[#frags + 1] = of[1]
		     end
		  end
	       end
	       seen[serv] = true
	    end
	 end
      end
      return frags
   end

   for _, family in ipairs({'inet', 'inet6'}) do
      extend(result, accept_frags(family))
      extend(
	 result,
	 combinations(
	    {{table='raw'}},
	    {{chain='PREROUTING'}, {chain='OUTPUT'}},
	    helper_frags(family)
	 )
      )
   end

   return result
end

-- ICMP protocol fragments per address family, filter table
local icmp = {{family='inet', table='filter', opts='-p icmp'}}
local icmp6 = {{family='inet6', table='filter', opts='-p icmpv6'}}

-- Rules placed after the user's filter rules (see export below): all ICMPv6
-- is accepted in INPUT and OUTPUT; forwarded ICMPv6 and all IPv4 ICMP are
-- sent to the 'icmp-routing' chain, which accepts only the types registered
-- by icmprules below and lets the rest return to the calling chain.
local ir = combinations(
   icmp6,
   {{chain='INPUT'}, {chain='OUTPUT'}},
   {{target='ACCEPT'}}
)
extend(ir, combinations(icmp6, {{chain='FORWARD', target='icmp-routing'}}))
extend(ir, combinations(icmp, fchains, {{target='icmp-routing'}}))

-- Append ACCEPT rules to the 'icmp-routing' chain for the given ICMP types.
-- ofrag supplies the family / protocol fragment (icmp or icmp6 above), oname
-- the iptables type option name ('icmp-type' or 'icmpv6-type').
local function icmprules(ofrag, oname, types)
   local chain = {{chain='icmp-routing', target='ACCEPT'}}
   local type_frags = util.map(types, function(code)
      return {opts='--'..oname..' '..code}
   end)
   extend(ir, combinations(ofrag, chain, type_frags))
end
-- RFC 792 types: destination-unreachable (3), time-exceeded (11),
-- parameter-problem (12)
icmprules(icmp, 'icmp-type', {3, 11, 12})
-- RFC 4443 types: destination-unreachable (1), packet-too-big (2),
-- time-exceeded (3), parameter-problem (4)
icmprules(icmp6, 'icmpv6-type', {1, 2, 3, 4})

-- Sections this module contributes: the 'filter' and 'policy' rule classes,
-- plus the built-in rule sets that bracket the user's filter rules
-- (stateful() before them, ir after them). The before/after fields
-- presumably order the sections relative to each other — see awall's loader.
export = {
   filter={class=Filter, before={'dnat', 'no-track'}},
   policy={class=Policy, after='%filter-after'},
   ['%filter-before']={rules=stateful, before='filter'},
   ['%filter-after']={rules=ir, after='filter'}
}

-- Custom 'tarpit' chain used by the tarpit action: TCP is handed to the
-- TARPIT target, anything else is dropped
achains = combinations({{chain='tarpit'}},
		       {{opts='-p tcp', target='TARPIT'},
			{target='DROP'}})